The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.

Workarounds CVE-2016-3427

vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.

vCloud Director
No workaround identified

vSphere Replication
No workaround identified

vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
– vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
– vROps 6.1.x: port 9004, 9005, 9007, 9008
– vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.

vRealize Infrastructure Navigator
No workaround identified

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware

Product

Running

Replace with/

Product

Version

on

Apply Patch

vCenter Server

6.0

Windows

6.0.0b + KB 2145343 *

vCenter Server

6.0

Linux

6.0.0b

vCenter Server

5.5

Windows

(5.5 U3b + KB 2144428 **) or 5.5 U3d

vCenter Server

5.5

Linux

5.5 U3

vCenter Server

5.1

Windows

(5.1 U3b + KB 2144428 **) or 5.1 U3d

vCenter Server

5.1

Linux

5.1 U3b

vCenter Server

5.0

Windows

5.0 U3e + KB 2144428 **

vCenter Server

5.0

Linux

5.0 U3e

vCloud Director

8.0.x

Linux

8.0.1.1

vCloud Director

5.6.x

Linux

5.6.5.1

vCloud Director

5.5.x

Linux

5.5.6.1

vSphere Replication

6.1.x

Linux

6.1.1 ***

vSphere Replication

6.0.x

Linux

6.0.0.3 ***

vSphere Replication

5.8.x

Linux

5.8.1.2 ***

vSphere Replication

5.6.x

Linux

5.6.0.6 ***

vROps non-appliance

6.x

All

Apply workaround

vROps appliance

6.x

Linux

Not affected

vRealize Infrastructure Navigator

5.8.x

All

5.8.6

* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.

** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
CVE-2016-3427 without the need to install the additional patch
of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.

VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.

VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is available.

VMware

Product

Running

Replace with/

Product

Version

on

Apply Patch

VMware Workstation

12.x.x

Any

not affected

VMware Workstation

11.x.x

Windows

11.1.3

VMware Workstation

11.x.x

Linux

not affected

VMware Player

12.x.x

Any

not affected

VMware Player

7.x.x

Windows

7.1.3

VMware Player

7.x.x

Linux

not affected

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.